Abstract: Spin-Torque Transfer RAM (STTRAM), although promising, suffers from high write latency and write current. Additionally, the latency and current depend on the polarity of the data being written. These factors introduce security vulnerabilities and expose the cache memory to side channel attacks. In this paper, we propose a side channel attack (SCA) model where the adversary can monitor the supply current of the memory array to partially identify the sensitive cache data that is being read or written. We propose solutions such as short retention STTRAM, obfuscation of SCA using 1-bit parity, multi-bit random write, and neutralizing the SCA using a constant current write driver to mitigate such attacks.

Keywords: Side Channel Attack; Last Level Cache; STTRAM; Data Privacy; Magnetic Tunnel Junction.

Introduction 

Spin-Torque Transfer RAM (STTRAM) [1] is a promising candidate for Last Level Cache (LLC) due to numerous benefits such as high density, non-volatility, high speed, low power and CMOS compatibility. Fig. 1 shows the STTRAM cell schematic with the Magnetic Tunnel Junction (MTJ) as the storage element. The MTJ contains a free and a pinned magnetic layer. The resistance of the MTJ stack is high (low) if the free layer magnetic orientation is anti-parallel (parallel) compared to the fixed layer. The MTJ can be toggled from parallel to anti-parallel (or vice versa) by injecting current from source-line to bitline (or vice versa). The data in the MTJ is stored in the form of magnetization. The data stored is ‘1’ if the free layer magnetization is anti-parallel to the fixed layer magnetization and ‘0’ if they are parallel. The read/write latency of the MTJ depends on the size of the device, the current passing through the layers, as well as on process variation.

Although promising, STTRAM is vulnerable to ambient parameters like magnetic field and temperature, which can be employed to tamper with the stored data. The free layer of the MTJ flips under the influence of an external magnetic field, which can be exploited by the adversary to launch magnetic attacks using a horseshoe magnet or an electromagnet [2]. The switching of the MTJ depends on the ambient temperature; at high temperature the MTJ resistance reduces, resulting in high read and write current [3]. The increased read current leads to read disturb failures, where the bits are accidentally flipped during a read operation. The temperature can also be exploited to extend the persistence of the memory [7]. The persistent user data in a non-volatile cache can also be compromised by launching unauthorized read and write operations, and by probing the data buses after the authentic user has logged off. The persistent data leaving the cache can also be accessed by probing the data bus between the cache and main memory [4].

Fig. 1 Schematic of STTRAM bitcell showing MTJ.

Traditional cache attacks can also be extended to STTRAM, such as: (a) micro-probing, where conductors are attached to the chip surface directly to interfere with the integrated circuit; (b) radiation imprinting, where the contents are burned in using X-ray radiation to prevent overwriting or erasing of stored data; (c) optical probing, where a laser is shone on the surface, activating the underlying circuit. The active components glow, which can then be used to interpret the stored data.


In this work, we investigate the Simple Power Analysis (SPA) based SCA to decipher the contents of the STTRAM LLC by monitoring the current drawn from the supply during read and write operations. The fact that STTRAM is associated with high write latency, high write current and asymmetry (polarity dependence) of writes makes it vulnerable to SCA that can compromise data privacy and integrity. The current in a circuit can be measured by inserting a small resistance in series with the Vdd or ground rail and measuring the voltage drop across it. Sophisticated devices can be used to sample the voltages at high rates (1GHz) with excellent accuracy (< 1% error) [5]. The system level illustration of the die and the regulated power supply is shown in Fig. 2(a). Although on-chip regulators have been investigated, their limited presence in ICs makes SPA-based attacks non-trivial.


Fig. 2(d) shows the variation of supply current when a 512b word is written into the LLC. In order to mimic the power signature of a processor core, we implement 15, 17, 19 and 21-stage ring-oscillators and instantiate those 250 times. We note the change in the DC current level upon bit-flip from all-0 to all-1, which is a direct indication of the value of data being written.


STTRAM Vulnerabilities and Attack Models

A. Read/Write Latency:

The write latency of STTRAM is a function of the thermal stability factor (At) and is susceptible to process variation (PV) [6], thus causing some bits to suffer from excessively high read and write latencies. Fig. 2(b-c) shows the read and write latency distribution of a 40nm x 40nm x 4nm STTRAM under PV. This high read and write latency provides a larger attack window to the adversary. By monitoring the current waveforms, the adversary can not only predict the number of 0’s and 1’s in the new data that is being written but can also predict the previous data by sampling the current just after the wordline is asserted. The adversary samples the current during the attack window shown in Fig. 2(h). Thus, the data dependency of the current reveals the stored and new data, and higher latency facilitates the attack. Additionally, the attack window available to identify the old and new data. Furthermore, a larger word size increases the total current, which makes the attack easier for the adversary.

Fig. 2 (a) System level view comprising CPU, LLC and external voltage regulator; (b) write latency; (c) read latency distribution of an 8MB STTRAM cache under process variation; (d) power signature of an example system consisting of 4 flavors of ring-oscillators (250 each) to mimic CPU along with a 512b word STTRAM LLC; (e) supply current waveform (y-axis values are negative) for write ‘1’; (f) write ‘0’; and (g) read operations.

Fig. 3 Read currents for 4-bit read operation.

B. Read/Write Current:

STTRAM resistance is high (low) during state ‘1’ (‘0’). Fig. 2(e) shows the supply current waveform for a single bit write ‘1’ when the previous value stored is ‘0’. Initially the current is high (STTRAM resistance low) and it goes low after a successful write. Fig. 2(f) shows the supply current waveform for write ‘0’ with the previous value stored as ‘1’; in this case the current is initially low and goes high after a successful write. The high and low states of current are very distinct and they reveal information about the previous and new data. The read current is comparatively less than the write current (Fig. 2(g)), thus the read and write operations can be distinctly identified from the current waveforms. Fig. 2(h)/3 shows the write/read current waveforms for a 4-bit write/read operation in STTRAM. Out of 16 data values only 5 are unique in terms of the total number of 0’s and 1’s (1111, 0111, 0011, 0001, 0000). Knowing the number of 0’s and 1’s weakens the security significantly as it reduces the reverse engineering effort to identify the correct data.

C. Temperature:

The thermal stability (At) of STTRAM is a function of ambient temperature, and the write current and write latency depend linearly on the thermal stability. The thermal stability is given by At = where Hk = uniaxial anisotropy, Ms = saturation magnetization, Ar = area of MTJ, t = thickness of free layer, kB = Boltzmann constant, T = ambient temperature. The write latency is directly proportional to the write current and thus at lower temperatures the write latency increases, which gives the adversary more time to launch the attack (Fig. 4(b)).

Fig. 4 (a) Retention time variation with respect to MTJ volume; and, (b) retention time dependence on temperature.

Fig. 5 Current waveform for 4-bit write with 1-bit parity.

Fig. 6 (a) Constant current write circuit [8]; and, (b) write latency difference with constant current write (current in mA).

Prevention Techniques

Due to the predominantly strong supply current signature, we focus our efforts towards obfuscating the write operations.

A. Semi Non-Volatile Memory (SNVM):

SNVM is a non-volatile memory with lower retention time which can find potential use in cache applications, as the data is invalidated when the system restarts or the virtual address space is changed. The write latency and write current (I) depend linearly on the thermal barrier (At) of STTRAM. The retention time (t) is exponentially related to At by t = C x where C and k are fitting constants. We note that both write latency and write current can be lowered by reducing the free layer volume of STTRAM (Fig. 4(a)).

B. Adding 1-bit parity:

The objective of this prevention technique is to merge multiple supply current levels in the side channel current waveform, which will make it difficult for the adversary to predict the states accurately. This is achieved by writing an extra parity bit along with the original data. Fig. 5 shows the current waveform of a 4-bit write with 1-bit even parity. Therefore, instead of writing 4 bits we write 5 bits, with the last bit value decided by the parity of the 4 bits. By doing this we can merge 5 states (Fig. 5) into 3 states. Compared to uncoded data, the reverse engineering effort increases because each observed state maps to a larger number of possible data values.

C. Adding Random bits in Word:

To further obfuscate the signature, we propose to add multiple random bits in the word during write. This technique further complicates and merges the states in the supply current signature. For larger word sizes, the overhead from a few extra bits is expected to be negligible.
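
The state counts quoted above for the 4-bit word (5 levels uncoded, 3 with even parity) and the effect of extra random bits can be checked numerically. The following is an added example, not code from the paper; it assumes a simplified model in which the adversary resolves exactly one supply-current level per distinct count of 1s among the cells written, and the function names are hypothetical.

```python
# Added example: leakage of the bit-count side channel for small words.
# Assumption: the adversary resolves exactly one supply-current level per
# distinct count of 1s among the cells written in one access.
from collections import Counter
from itertools import product
from math import comb, log2


def even_parity(bits):
    """Append one even-parity bit (the 1-bit parity countermeasure)."""
    return bits + (sum(bits) % 2,)


def level_map(n, encode=lambda b: b):
    """Count how many n-bit data words fall on each observable level."""
    return Counter(sum(encode(w)) for w in product((0, 1), repeat=n))


def entropy(probs):
    """Shannon entropy in bits of a probability distribution."""
    return -sum(p * log2(p) for p in probs if p > 0)


def leakage_bits(n, encode=lambda b: b, random_bits=0):
    """I(data; level) in bits for uniformly distributed n-bit data.

    random_bits extra cells are written with independent fair coin flips,
    modelling the multi-bit random write countermeasure.
    """
    r = random_bits
    noise = [comb(r, k) / 2 ** r for k in range(r + 1)]
    p_level = Counter()
    for level, count in level_map(n, encode).items():
        for k, q in enumerate(noise):
            p_level[level + k] += count / 2 ** n * q
    # The level is a function of the data plus independent noise, so
    # I(data; level) = H(level) - H(noise).
    return entropy(p_level.values()) - entropy(noise)


if __name__ == "__main__":
    for name, enc, r in [("uncoded", lambda b: b, 0),
                         ("even parity", even_parity, 0),
                         ("2 random bits", lambda b: b, 2),
                         ("parity + 2 random bits", even_parity, 2)]:
        levels = level_map(4, enc)
        print(f"{name:24s} data levels={len(levels)} "
              f"largest class={max(levels.values())} "
              f"leak={leakage_bits(4, enc, r):.3f} bits of 4")
```

Under this model the largest group of data values sharing one level grows from 6 to 10 when the parity bit is added, which is the increase in reverse engineering effort the parity technique aims for.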

D. Constant Current Write:

Constant current write can be achieved by using a current mirror with a voltage controlled current source (Fig. 6(a)). The two PMOS form the current mirror whereas the NMOS MC controls the current to be mirrored depending on the STTRAM resistance [8]. Bias voltage (VB) is adjusted to provide the initial read current in the main branch which will pass through the STTRAM in the auxiliary branch. However, constant current write will create a mismatch in switching times between the ‘0’ and ‘1’ states (Fig. 6(b)). This will affect the design of the word-line driver, but the adversary will have no clue about the data as the current will remain constant throughout the write access.

Reducing power overhead of constant current write: To ensure functional correctness, the constant current approach utilizes the worst case write current injected to homogenize the write current. This leads to power wastage while writing logic ‘1’. To address this issue, it is possible to leverage the trade-off that exists between write current and error rate (as shown in Fig. 7). By lowering the write current for both ‘0->1’ and ‘1->0’, the write time of a certain number of bits may fall beyond the worst latency. These bits contribute to the write error rate. By maintaining the write error rate under permissible levels or increasing the permissible write latency, it is possible to lower the power overhead of constant current write.

Discussions

A. Impact of Scaling:

With technology scaling the MTJ size reduces, which lowers the free layer thickness. The thermal stability (At) is linearly dependent on the free layer thickness and the retention time is exponentially related to At. Therefore, the write latency and write current of STTRAM are expected to scale down, making it more secure against power analysis attack. Introduction of perpendicular magnetic anisotropy (PMA) STTRAM makes it further challenging for the adversary to perform a meaningful side channel attack due to inherently lower write latency and write current.

Fig. 7 Homogeneous write using reduced write current.

B. Impact of TMR:

As described earlier, the TMR ratio determines the resistance difference between the two MTJ states. It is therefore evident that the larger the TMR, the greater the difference of resistance between the two MTJ states. For a good sense margin, a large TMR is always desired. However, this can prove detrimental from a security point of view as it will allow a clearer distinction between the bits being written/read, thus improving the effectiveness of SPA.

C. Impact of Usage:

Although STTRAM LLC is considered in this paper, the proposed attack models are equally applicable to the STTRAM main memory. Availability of a dedicated power supply makes it easy to probe main memory active current. However, cryptographic keys cannot be revealed since the crypto operations are performed on chip. Nevertheless, the raw unencrypted sensitive data can be extracted.

D. Impact of Magnetic Tampering:

An external DC magnetic field of opposite strength could be used to increase the switching time of the MTJ, which will increase the attack window for the adversary. Thus, with the help of a common horseshoe magnet the adversary can increase the write latency to facilitate attacks (especially for constant voltage write).

E. Cache Timing Attack:

In a shared computer, the main memory and hard disk are protected against use by another user on the same machine but the cache is not. If two users are working on the same machine, the malicious user can fill the entire cache with his own data and wait for the other user to perform secret operations like encryption. The malicious user then measures the loading time to find which of his data has been replaced by the other user and learns about the cache addresses used in encryption. This timing information can be exploited for key recovery of encryption algorithms like AES [9]. Since a larger cache size can be afforded with STTRAM (due to the smaller footprint bitcell), the number of cache line replacements is expected to be less, alleviating the cache timing attack. However, the persistence of data can be exploited to launch the attack at a later time to retrieve the sensitive information.

F. Other Side Channels:

STTRAM resistance in the parallel and anti-parallel state is in the range of kΩ (5K-10K) and the write current is in the order of µA (100-150 µA). Thus, the IR drop will be in the order of mV, resulting in considerable droop in supply voltage. The adversary can monitor the droops in supply voltage to identify a write operation, and the amount of droop can give out information about the data being written, much like supply current.


G. Considerations for Other NVMs:

Long/asymmetric write latency and high/asymmetric write current are a common challenge for other NVMs such as Resistive RAM, Phase Change RAM and Domain Wall Memory. Therefore, the attack models presented in this paper are equally applicable to the emerging NVMs. Due to the generic nature of the solutions proposed in this paper, similar techniques could also be extended to other NVMs for mitigation.

Conclusions

In this paper, we showed that STTRAM read/write current, latency and asymmetry can be security vulnerabilities. We presented novel SCA models for STTRAM to compromise the sensitive data in LLC. We also provided a suite of preventive countermeasures such as constant current write, increased word size, SNVM and parity bit encoding to increase the reverse engineering effort required by the adversary to decipher the data from read and write current waveforms. The proposed techniques showed significant promise to protect against data privacy attacks to enable secure NVM design. The solutions proposed in this paper could also be extended to other NVMs for attack mitigation.